
6.12 Key distribution guarantees

An agent knows a session key if he used it to issue a cipher. These guarantees also convey a stronger form of authentication - non-injective agreement on the session key.

lemma Kas_Issues_A:

" [[ Says Kas A (Crypt (shrK A) {|Key authK, Peer, Ta, authTicket |}) ∈ set evs;

evs ∈ kerbIV ]]

=⇒ Kas Issues A with (Crypt (shrK A) {|Key authK, Peer, Ta, authTicket |})

on evs" hproof i

lemma A_authenticates_and_keydist_to_Kas:

" [[ Crypt (shrK A) {|Key authK, Peer, Ta, authTicket |} ∈ parts (spies evs); A /∈ bad; evs ∈ kerbIV ]]

=⇒ Kas Issues A with (Crypt (shrK A) {|Key authK, Peer, Ta, authTicket |})

on evs" hproof i

lemma honest_never_says_newer_timestamp_in_auth:

" [[ (CT evs) ≤ T; A /∈ bad; Number T ∈ parts {X}; evs ∈ kerbIV ]] =⇒ ∀ B Y. Says A B {|Y, X |} /∈ set evs"

hproof i

lemma honest_never_says_current_timestamp_in_auth:

" [[ (CT evs) = T; Number T ∈ parts {X}; evs ∈ kerbIV ]] =⇒ ∀ A B Y. A /∈ bad −→ Says A B {|Y, X |} /∈ set evs" hproof i

lemma A_trusts_secure_authenticator:

" [[ Crypt K {|Agent A, Number T |} ∈ parts (spies evs); Key K /∈ analz (spies evs); evs ∈ kerbIV ]]

=⇒ ∃ B X. Says A Tgs {|X, Crypt K {|Agent A, Number T |}, Agent B |} ∈ set evs ∨

Says A B {|X, Crypt K {|Agent A, Number T |}|} ∈ set evs" hproof i

lemma A_Issues_Tgs:

" [[ Says A Tgs {|authTicket, Crypt authK {|Agent A, Number T2 |}, Agent B |} ∈ set evs;

Key authK /∈ analz (spies evs); A /∈ bad; evs ∈ kerbIV ]]

=⇒ A Issues Tgs with (Crypt authK {|Agent A, Number T2 |}) on evs" hproof i

lemma Tgs_authenticates_and_keydist_to_A:

" [[ Crypt authK {|Agent A, Number T2 |} ∈ parts (spies evs); Crypt (shrK Tgs) {|Agent A, Agent Tgs, Key authK, Number Ta |}

∈ parts (spies evs); Key authK /∈ analz (spies evs); A /∈ bad; evs ∈ kerbIV ]]

6.12 Key distribution guarantees An agent knows a session key if he used it to issue a cipher. These guarantees also convey a stronger form of authentication - non-injective agreement on the session key85

=⇒ A Issues Tgs with (Crypt authK {|Agent A, Number T2 |}) on evs" hproof i

lemma Tgs_Issues_A:

" [[ Says Tgs A (Crypt authK {|Key servK, Agent B, Number Ts, servTicket |})

∈ set evs;

Key authK /∈ analz (spies evs); evs ∈ kerbIV ]] =⇒ Tgs Issues A with

(Crypt authK {|Key servK, Agent B, Number Ts, servTicket |}) on evs" hproof i

lemma A_authenticates_and_keydist_to_Tgs:

" [[Crypt authK {|Key servK, Agent B, Number Ts, servTicket |} ∈ parts (spies evs); Key authK /∈ analz (spies evs); B 6= Tgs; evs ∈ kerbIV ]]

=⇒ ∃ A. Tgs Issues A with

(Crypt authK {|Key servK, Agent B, Number Ts, servTicket |}) on evs" hproof i

lemma B_Issues_A:

" [[ Says B A (Crypt servK (Number T3)) ∈ set evs; Key servK /∈ analz (spies evs);

A /∈ bad; B /∈ bad; B 6= Tgs; evs ∈ kerbIV ]] =⇒ B Issues A with (Crypt servK (Number T3)) on evs" hproof i

lemma B_Issues_A_r:

" [[ Says B A (Crypt servK (Number T3)) ∈ set evs;

Crypt (shrK B) {|Agent A, Agent B, Key servK, Number Ts |} ∈ parts (spies evs);

Crypt authK {|Key servK, Agent B, Number Ts, servTicket |} ∈ parts (spies evs);

Crypt (shrK A) {|Key authK, Agent Tgs, Number Ta, authTicket |} ∈ parts (spies evs);

¬ expiredSK Ts evs; ¬ expiredAK Ta evs; A /∈ bad; B /∈ bad; B 6= Tgs; evs ∈ kerbIV ]] =⇒ B Issues A with (Crypt servK (Number T3)) on evs" hproof i

lemma u_B_Issues_A_r:

" [[ Says B A (Crypt servK (Number T3)) ∈ set evs;

Crypt (shrK B) {|Agent A, Agent B, Key servK, Number Ts |} ∈ parts (spies evs);

¬ expiredSK Ts evs;

A /∈ bad; B /∈ bad; B 6= Tgs; evs ∈ kerbIV ]] =⇒ B Issues A with (Crypt servK (Number T3)) on evs" hproof i

lemma A_authenticates_and_keydist_to_B:

" [[ Crypt servK (Number T3) ∈ parts (spies evs);

Crypt authK {|Key servK, Agent B, Number Ts, servTicket |} ∈ parts (spies evs);


Crypt (shrK A) {|Key authK, Agent Tgs, Number Ta, authTicket |} ∈ parts (spies evs);

Key authK /∈ analz (spies evs); Key servK /∈ analz (spies evs); A /∈ bad; B /∈ bad; B 6= Tgs; evs ∈ kerbIV ]]

=⇒ B Issues A with (Crypt servK (Number T3)) on evs" hproof i

lemma A_authenticates_and_keydist_to_B_r:

" [[ Crypt servK (Number T3) ∈ parts (spies evs);

Crypt authK {|Key servK, Agent B, Number Ts, servTicket |} ∈ parts (spies evs);

Crypt (shrK A) {|Key authK, Agent Tgs, Number Ta, authTicket |} ∈ parts (spies evs);

¬ expiredAK Ta evs; ¬ expiredSK Ts evs; A /∈ bad; B /∈ bad; B 6= Tgs; evs ∈ kerbIV ]] =⇒ B Issues A with (Crypt servK (Number T3)) on evs" hproof i

lemma A_Issues_B:

" [[ Says A B {|servTicket, Crypt servK {|Agent A, Number T3 |}|} ∈ set evs;

Key servK /∈ analz (spies evs);

B 6= Tgs; A /∈ bad; B /∈ bad; evs ∈ kerbIV ]]

=⇒ A Issues B with (Crypt servK {|Agent A, Number T3 |}) on evs" hproof i

lemma A_Issues_B_r:

" [[ Says A B {|servTicket, Crypt servK {|Agent A, Number T3 |}|} ∈ set evs;

Crypt (shrK A) {|Key authK, Agent Tgs, Number Ta, authTicket |} ∈ parts (spies evs);

Crypt authK {|Key servK, Agent B, Number Ts, servTicket |} ∈ parts (spies evs);

¬ expiredAK Ta evs; ¬ expiredSK Ts evs; B 6= Tgs; A /∈ bad; B /∈ bad; evs ∈ kerbIV ]]

=⇒ A Issues B with (Crypt servK {|Agent A, Number T3 |}) on evs" hproof i

lemma B_authenticates_and_keydist_to_A:

" [[ Crypt servK {|Agent A, Number T3 |} ∈ parts (spies evs); Crypt (shrK B) {|Agent A, Agent B, Key servK, Number Ts |}

∈ parts (spies evs);

Key servK /∈ analz (spies evs);

B 6= Tgs; A /∈ bad; B /∈ bad; evs ∈ kerbIV ]]

=⇒ A Issues B with (Crypt servK {|Agent A, Number T3 |}) on evs" hproof i

lemma B_authenticates_and_keydist_to_A_r:

" [[ Crypt servK {|Agent A, Number T3 |} ∈ parts (spies evs); Crypt (shrK B) {|Agent A, Agent B, Key servK, Number Ts |}

∈ parts (spies evs);

Crypt authK {|Key servK, Agent B, Number Ts, servTicket |} ∈ parts (spies evs);


Crypt (shrK A) {|Key authK, Agent Tgs, Number Ta, authTicket |} ∈ parts (spies evs);

¬ expiredSK Ts evs; ¬ expiredAK Ta evs; B 6= Tgs; A /∈ bad; B /∈ bad; evs ∈ kerbIV ]]

=⇒ A Issues B with (Crypt servK {|Agent A, Number T3 |}) on evs" hproof i

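u_B_authenticates_and_keydist_to_A would be the same as B_authenticates_and_keydist_to_A because the servK confidentiality assumption is not yet relaxed. The relaxed variant below drops the premise Key servK ∉ analz (spies evs) and instead requires ¬ expiredSK Ts evs.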

lemma u_B_authenticates_and_keydist_to_A_r:

" [[ Crypt servK {|Agent A, Number T3 |} ∈ parts (spies evs); Crypt (shrK B) {|Agent A, Agent B, Key servK, Number Ts |}

∈ parts (spies evs); ¬ expiredSK Ts evs;

B 6= Tgs; A /∈ bad; B /∈ bad; evs ∈ kerbIV ]]

=⇒ A Issues B with (Crypt servK {|Agent A, Number T3 |}) on evs" hproof i

end

7

The Kerberos Protocol, Version IV

theory KerberosIV_Gets imports Public begin

The "u" prefix indicates theorems referring to an updated version of the protocol. The "r" suffix indicates theorems where the confidentiality assumptions are relaxed by the corresponding arguments.

abbreviation

Kas :: agent where "Kas == Server"

abbreviation

Tgs :: agent where "Tgs == Friend 0"

axiomatization where

Tgs_not_bad [iff]: "Tgs ∉ bad"

— Tgs is secure — we already know that Kas is secure

definition

authKeys :: "event list => key set" where "authKeys evs = {authK. ∃ A Peer Ta. Says Kas A

(Crypt (shrK A) {|Key authK, Agent Peer, Number Ta, (Crypt (shrK Peer) {|Agent A, Agent Peer, Key authK, Number Ta |})

|}) ∈ set evs}"

definition

Unique :: "[event, event list] => bool" ("Unique _ on _" [0, 50] 50)

consts

authKlife :: nat

servKlife :: nat

authlife :: nat

replylife :: nat

specification (authKlife)

authKlife_LB [iff]: "2 ≤ authKlife" hproof i

specification (servKlife)

servKlife_LB [iff]: "2 + authKlife ≤ servKlife" hproof i

specification (authlife)

authlife_LB [iff]: "Suc 0 ≤ authlife" hproof i

specification (replylife)

replylife_LB [iff]: "Suc 0 ≤ replylife" hproof i

abbreviation

CT :: "event list=>nat" where "CT == length"

abbreviation

expiredAK :: "[nat, event list] => bool" where "expiredAK Ta evs == authKlife + Ta < CT evs"

abbreviation

expiredSK :: "[nat, event list] => bool" where "expiredSK Ts evs == servKlife + Ts < CT evs"

abbreviation

expiredA :: "[nat, event list] => bool" where "expiredA T evs == authlife + T < CT evs"

abbreviation

valid :: "[nat, nat] => bool" ("valid _ wrt _" [0, 50] 50) where "valid T1 wrt T2 == T1 <= replylife + T2"


definition AKcryptSK :: "[key, key, event list] => bool" where "AKcryptSK authK servK evs ==

∃ A B Ts.

Says Tgs A (Crypt authK

{|Key servK, Agent B, Number Ts,

Crypt (shrK B) {|Agent A, Agent B, Key servK, Number Ts |} |})

∈ set evs"

inductive set "kerbIV_gets" :: "event list set" where

Nil: "[] ∈ kerbIV_gets"

| Fake: " [[ evsf ∈ kerbIV_gets; X ∈ synth (analz (spies evsf)) ]] =⇒ Says Spy B X # evsf ∈ kerbIV_gets"

| Reception: " [[ evsr ∈ kerbIV_gets; Says A B X ∈ set evsr ]] =⇒ Gets B X # evsr ∈ kerbIV_gets"

| K1: " [[ evs1 ∈ kerbIV_gets ]]

=⇒ Says A Kas {|Agent A, Agent Tgs, Number (CT evs1) |} # evs1 ∈ kerbIV_gets"

| K2: " [[ evs2 ∈ kerbIV_gets; Key authK ∉ used evs2; authK ∈ symKeys; Gets Kas {|Agent A, Agent Tgs, Number T1 |} ∈ set evs2 ]] =⇒ Says Kas A

(Crypt (shrK A) {|Key authK, Agent Tgs, Number (CT evs2), (Crypt (shrK Tgs) {|Agent A, Agent Tgs, Key authK,

Number (CT evs2) |}) |}) # evs2 ∈ kerbIV_gets"

| K3: " [[ evs3 ∈ kerbIV_gets;

Says A Kas {|Agent A, Agent Tgs, Number T1 |} ∈ set evs3; Gets A (Crypt (shrK A) {|Key authK, Agent Tgs, Number Ta,

authTicket |}) ∈ set evs3; valid Ta wrt T1

]]

=⇒ Says A Tgs {|authTicket,

(Crypt authK {|Agent A, Number (CT evs3) |}), Agent B |} # evs3 ∈ kerbIV_gets"


| K4: " [[ evs4 ∈ kerbIV_gets; Key servK ∉ used evs4; servK ∈ symKeys; B ≠ Tgs; authK ∈ symKeys;

Gets Tgs {|

(Crypt (shrK Tgs) {|Agent A, Agent Tgs, Key authK, Number Ta |}),

(Crypt authK {|Agent A, Number T2 |}), Agent B |} ∈ set evs4;

¬ expiredAK Ta evs4; ¬ expiredA T2 evs4;

servKlife + (CT evs4) <= authKlife + Ta ]]

=⇒ Says Tgs A

(Crypt authK {|Key servK, Agent B, Number (CT evs4),

Crypt (shrK B) {|Agent A, Agent B, Key servK, Number (CT evs4) |} |}) # evs4 ∈ kerbIV_gets"

| K5: " [[ evs5 ∈ kerbIV_gets; authK ∈ symKeys; servK ∈ symKeys; Says A Tgs

{|authTicket, Crypt authK {|Agent A, Number T2 |}, Agent B |}

∈ set evs5; Gets A

(Crypt authK {|Key servK, Agent B, Number Ts, servTicket |}) ∈ set evs5;

valid Ts wrt T2 ]] =⇒ Says A B {|servTicket,

Crypt servK {|Agent A, Number (CT evs5) |} |} # evs5 ∈ kerbIV_gets"

| K6: " [[ evs6 ∈ kerbIV_gets; Gets B {|

(Crypt (shrK B) {|Agent A, Agent B, Key servK, Number Ts |}), (Crypt servK {|Agent A, Number T3 |}) |}

∈ set evs6;

¬ expiredSK Ts evs6; ¬ expiredA T3 evs6 ]]

=⇒ Says B A (Crypt servK (Number T3)) # evs6 ∈ kerbIV_gets"


| Oops1: " [[ evsO1 ∈ kerbIV_gets; A ≠ Spy; Says Kas A

(Crypt (shrK A) {|Key authK, Agent Tgs, Number Ta, authTicket |}) ∈ set evsO1; expiredAK Ta evsO1 ]]

=⇒ Says A Spy {|Agent A, Agent Tgs, Number Ta, Key authK |} # evsO1 ∈ kerbIV_gets"

| Oops2: " [[ evsO2 ∈ kerbIV_gets; A ≠ Spy; Says Tgs A

(Crypt authK {|Key servK, Agent B, Number Ts, servTicket |}) ∈ set evsO2;

expiredSK Ts evsO2 ]]

=⇒ Says A Spy {|Agent A, Agent B, Number Ts, Key servK |} # evsO2 ∈ kerbIV_gets"

declare Says_imp_knows_Spy [THEN parts.Inj, dest]

declare parts.Body [dest]

declare analz_into_parts [dest]

declare Fake_parts_insert_in_Un [dest]

7.1

Lemmas about reception event

lemma Gets_imp_Says :

" [[ Gets B X ∈ set evs; evs ∈ kerbIV_gets ]] =⇒ ∃ A. Says A B X ∈ set evs"

hproof i

lemma Gets_imp_knows_Spy:

" [[ Gets B X ∈ set evs; evs ∈ kerbIV_gets ]] =⇒ X ∈ knows Spy evs" hproof i

declare Gets_imp_knows_Spy [THEN parts.Inj, dest]

lemma Gets_imp_knows:

" [[ Gets B X ∈ set evs; evs ∈ kerbIV_gets ]] =⇒ X ∈ knows B evs" hproof i

7.2

Lemmas about

authKeys

lemma authKeys_empty: "authKeys [] = {}" hproof i

lemma authKeys_not_insert: "( ∀ A Ta akey Peer.

ev 6= Says Kas A (Crypt (shrK A) {|akey, Agent Peer, Ta,

92 7 THE KERBEROS PROTOCOL, VERSION IV

=⇒ authKeys (ev # evs) = authKeys evs" hproof i

lemma authKeys_insert: "authKeys

(Says Kas A (Crypt (shrK A) {|Key K, Agent Peer, Number Ta,

(Crypt (shrK Peer) {|Agent A, Agent Peer, Key K, Number Ta |}) |}) # evs) = insert K (authKeys evs)"

hproof i

lemma authKeys_simp: "K ∈ authKeys

(Says Kas A (Crypt (shrK A) {|Key K’, Agent Peer, Number Ta,

(Crypt (shrK Peer) {|Agent A, Agent Peer, Key K’, Number Ta |}) |}) # evs) =⇒ K = K’ | K ∈ authKeys evs"

hproof i

lemma authKeysI:

"Says Kas A (Crypt (shrK A) {|Key K, Agent Tgs, Number Ta,

(Crypt (shrK Tgs) {|Agent A, Agent Tgs, Key K, Number Ta |}) |}) ∈ set evs =⇒ K ∈ authKeys evs"

hproof i

lemma authKeys_used: "K ∈ authKeys evs =⇒ Key K ∈ used evs" hproof i

7.3

Forwarding Lemmas

lemma Says_ticket_parts:

"Says S A (Crypt K {|SesKey, B, TimeStamp, Ticket |}) ∈ set evs =⇒ Ticket ∈ parts (spies evs)"

hproof i

lemma Gets_ticket_parts:

" [[Gets A (Crypt K {|SesKey, Peer, Ta, Ticket |}) ∈ set evs; evs ∈ kerbIV_gets ]]

=⇒ Ticket ∈ parts (spies evs)" hproof i

lemma Oops_range_spies1:

" [[ Says Kas A (Crypt KeyA {|Key authK, Peer, Ta, authTicket |}) ∈ set evs ;

evs ∈ kerbIV_gets ]] =⇒ authK /∈ range shrK & authK ∈ symKeys" hproof i

lemma Oops_range_spies2:

" [[ Says Tgs A (Crypt authK {|Key servK, Agent B, Ts, servTicket |}) ∈ set evs ;

evs ∈ kerbIV_gets ]] =⇒ servK /∈ range shrK & servK ∈ symKeys" hproof i

7.4 Regularity Lemmas 93

"evs ∈ kerbIV_gets =⇒ (Key (shrK A) ∈ parts (spies evs)) = (A ∈ bad)" hproof i

lemma Spy_analz_shrK [simp]:

"evs ∈ kerbIV_gets =⇒ (Key (shrK A) ∈ analz (spies evs)) = (A ∈ bad)" hproof i

lemma Spy_see_shrK_D [dest!]:

" [[ Key (shrK A) ∈ parts (spies evs); evs ∈ kerbIV_gets ]] =⇒ A:bad" hproof i

lemmas Spy_analz_shrK_D = analz_subset_parts [THEN subsetD, THEN Spy_see_shrK_D, dest!]

Nobody can have used non-existent keys!

lemma new_keys_not_used [simp]:

" [[Key K /∈ used evs; K ∈ symKeys; evs ∈ kerbIV_gets ]] =⇒ K /∈ keysFor (parts (spies evs))"

hproof i

lemma new_keys_not_analzd:

" [[evs ∈ kerbIV_gets; K ∈ symKeys; Key K /∈ used evs ]] =⇒ K /∈ keysFor (analz (spies evs))"

hproof i

7.4

Regularity Lemmas

These concern the form of items passed in messages.

Describes the form of all components sent by Kas.

lemma Says_Kas_message_form:

" [[ Says Kas A (Crypt K {|Key authK, Agent Peer, Number Ta, authTicket |}) ∈ set evs;

evs ∈ kerbIV_gets ]] =⇒ K = shrK A & Peer = Tgs &

authK /∈ range shrK & authK ∈ authKeys evs & authK ∈ symKeys &

authTicket = (Crypt (shrK Tgs) {|Agent A, Agent Tgs, Key authK, Number Ta |})" hproof i

lemma SesKey_is_session_key:

" [[ Crypt (shrK Tgs_B) {|Agent A, Agent Tgs_B, Key SesKey, Number T |} ∈ parts (spies evs); Tgs_B /∈ bad;

evs ∈ kerbIV_gets ]] =⇒ SesKey /∈ range shrK" hproof i

lemma authTicket_authentic:

" [[ Crypt (shrK Tgs) {|Agent A, Agent Tgs, Key authK, Number Ta |} ∈ parts (spies evs);

evs ∈ kerbIV_gets ]]

=⇒ Says Kas A (Crypt (shrK A) {|Key authK, Agent Tgs, Number Ta,

94 7 THE KERBEROS PROTOCOL, VERSION IV

∈ set evs" hproof i

lemma authTicket_crypt_authK:

" [[ Crypt (shrK Tgs) {|Agent A, Agent Tgs, Key authK, Number Ta |} ∈ parts (spies evs);

evs ∈ kerbIV_gets ]] =⇒ authK ∈ authKeys evs" hproof i

lemma Says_Tgs_message_form:

" [[ Says Tgs A (Crypt authK {|Key servK, Agent B, Number Ts, servTicket |}) ∈ set evs;

evs ∈ kerbIV_gets ]] =⇒ B 6= Tgs &

authK /∈ range shrK & authK ∈ authKeys evs & authK ∈ symKeys & servK /∈ range shrK & servK /∈ authKeys evs & servK ∈ symKeys &

servTicket = (Crypt (shrK B) {|Agent A, Agent B, Key servK, Number Ts |})" hproof i

lemma authTicket_form:

" [[ Crypt (shrK A) {|Key authK, Agent Tgs, Ta, authTicket |} ∈ parts (spies evs);

A /∈ bad;

evs ∈ kerbIV_gets ]]

=⇒ authK /∈ range shrK & authK ∈ symKeys &

authTicket = Crypt (shrK Tgs) {|Agent A, Agent Tgs, Key authK, Ta |}" hproof i

This form holds also over an authTicket, but is not needed below.

lemma servTicket_form:

" [[ Crypt authK {|Key servK, Agent B, Ts, servTicket |} ∈ parts (spies evs);

Key authK /∈ analz (spies evs); evs ∈ kerbIV_gets ]]

=⇒ servK /∈ range shrK & servK ∈ symKeys &

( ∃ A. servTicket = Crypt (shrK B) {|Agent A, Agent B, Key servK, Ts |})" hproof i

Essentially the same as authTicket_form

lemma Says_kas_message_form:

" [[ Gets A (Crypt (shrK A)

{|Key authK, Agent Tgs, Ta, authTicket |}) ∈ set evs; evs ∈ kerbIV_gets ]]

=⇒ authK /∈ range shrK & authK ∈ symKeys & authTicket =

Crypt (shrK Tgs) {|Agent A, Agent Tgs, Key authK, Ta |} | authTicket ∈ analz (spies evs)"

hproof i

lemma Says_tgs_message_form:

" [[ Gets A (Crypt authK {|Key servK, Agent B, Ts, servTicket |}) ∈ set evs; authK ∈ symKeys;

7.5 Authenticity theorems: confirm origin of sensitive messages 95

evs ∈ kerbIV_gets ]] =⇒ servK /∈ range shrK &

( ∃ A. servTicket =

Crypt (shrK B) {|Agent A, Agent B, Key servK, Ts |}) | servTicket ∈ analz (spies evs)"

hproof i

7.5

Authenticity theorems: confirm origin of sensitive messages

lemma authK_authentic:

" [[ Crypt (shrK A) {|Key authK, Peer, Ta, authTicket |} ∈ parts (spies evs);

A /∈ bad; evs ∈ kerbIV_gets ]]

=⇒ Says Kas A (Crypt (shrK A) {|Key authK, Peer, Ta, authTicket |}) ∈ set evs"

hproof i

If a certain encrypted message appears then it originated with Tgs, provided the encrypting key authK is not available to the spy (Key authK ∉ analz (spies evs)).

lemma servK_authentic:

" [[ Crypt authK {|Key servK, Agent B, Number Ts, servTicket |} ∈ parts (spies evs);

Key authK /∈ analz (spies evs); authK /∈ range shrK;

evs ∈ kerbIV_gets ]]

=⇒ ∃ A. Says Tgs A (Crypt authK {|Key servK, Agent B, Number Ts, servTicket |}) ∈ set evs"

hproof i

lemma servK_authentic_bis:

" [[ Crypt authK {|Key servK, Agent B, Number Ts, servTicket |} ∈ parts (spies evs);

Key authK /∈ analz (spies evs); B 6= Tgs;

evs ∈ kerbIV_gets ]]

=⇒ ∃ A. Says Tgs A (Crypt authK {|Key servK, Agent B, Number Ts, servTicket |}) ∈ set evs"

hproof i

Authenticity of servK for B, where B is an uncompromised agent other than Tgs

lemma servTicket_authentic_Tgs:

" [[ Crypt (shrK B) {|Agent A, Agent B, Key servK, Number Ts |} ∈ parts (spies evs); B 6= Tgs; B /∈ bad;

evs ∈ kerbIV_gets ]] =⇒ ∃ authK.

Says Tgs A (Crypt authK {|Key servK, Agent B, Number Ts,

Crypt (shrK B) {|Agent A, Agent B, Key servK, Number Ts |}|}) ∈ set evs"

hproof i

Anticipated here from next subsection

lemma K4_imp_K2:

96 7 THE KERBEROS PROTOCOL, VERSION IV

∈ set evs; evs ∈ kerbIV_gets ]] =⇒ ∃ Ta. Says Kas A

(Crypt (shrK A)

{|Key authK, Agent Tgs, Number Ta,

Crypt (shrK Tgs) {|Agent A, Agent Tgs, Key authK, Number Ta |}|}) ∈ set evs"

hproof i

Anticipated here from next subsection

lemma u_K4_imp_K2:

" [[ Says Tgs A (Crypt authK {|Key servK, Agent B, Number Ts, servTicket |}) ∈ set evs; evs ∈ kerbIV_gets ]]

=⇒ ∃ Ta. (Says Kas A (Crypt (shrK A) {|Key authK, Agent Tgs, Number Ta, Crypt (shrK Tgs) {|Agent A, Agent Tgs, Key authK, Number Ta |}|})

∈ set evs

& servKlife + Ts <= authKlife + Ta)" hproof i

lemma servTicket_authentic_Kas:

" [[ Crypt (shrK B) {|Agent A, Agent B, Key servK, Number Ts |} ∈ parts (spies evs); B 6= Tgs; B /∈ bad;

evs ∈ kerbIV_gets ]] =⇒ ∃ authK Ta.

Says Kas A

(Crypt (shrK A) {|Key authK, Agent Tgs, Number Ta,

Crypt (shrK Tgs) {|Agent A, Agent Tgs, Key authK, Number Ta |}|}) ∈ set evs"

hproof i

lemma u_servTicket_authentic_Kas:

" [[ Crypt (shrK B) {|Agent A, Agent B, Key servK, Number Ts |} ∈ parts (spies evs); B 6= Tgs; B /∈ bad;

evs ∈ kerbIV_gets ]]

=⇒ ∃ authK Ta. Says Kas A (Crypt(shrK A) {|Key authK, Agent Tgs, Number Ta, Crypt (shrK Tgs) {|Agent A, Agent Tgs, Key authK, Number Ta |}|})

∈ set evs

& servKlife + Ts <= authKlife + Ta" hproof i

lemma servTicket_authentic:

" [[ Crypt (shrK B) {|Agent A, Agent B, Key servK, Number Ts |} ∈ parts (spies evs); B 6= Tgs; B /∈ bad;

evs ∈ kerbIV_gets ]] =⇒ ∃ Ta authK.

Says Kas A (Crypt (shrK A) {|Key authK, Agent Tgs, Number Ta,

Crypt (shrK Tgs) {|Agent A, Agent Tgs, Key authK, Number Ta |}|})

∈ set evs

& Says Tgs A (Crypt authK {|Key servK, Agent B, Number Ts,

Crypt (shrK B) {|Agent A, Agent B, Key servK, Number Ts |}|}) ∈ set evs"

hproof i